Digital printing technology has enabled mailers to implement digital, i.e. bit map addressable, printing in a convenient manner. It has been found to be desirable to use such techniques for the purpose of evidencing payment of postage. Technological advances in digital printing technology has made it possible to print postage indicia that is unique for each mailpiece. A computer driven printer can print, for example, a postal indicia in a desired location on the face of a mailpiece. The indicia is unique because it includes information relating directly to the mailpiece, for example, postage value, date, piece count and/or origin postal code.
From a Post Office's perspective, it will be appreciated that the digital printing and scanning technology make it fairly easy to counterfeit a postal value bearing indicia since any suitable computer and printer may be used to generate multiple copies of an image.
In order to validate a mailpiece, that is to ensure that accounting for the postage amount printed on a mailpiece has been properly done, it is known that one may include as part of the franking an encrypted number such that, for instance, the value of the franking may be determined from the encryption to learn whether the value as printed on the mailpiece is correct. See, for example, U.S. Pat. Nos. 4,757,537 and 4,775,246 to Edelmann et al., as well as U.S. Pat. No. 4,649,266 to Eckert. It is also known to authenticate a mailpiece by including the address as a further part of the encryption as described in U.S. Pat. No. 4,725,718 to Sansone et al. and U.S. Pat. No. 4,743,747 to Fougere et al.
U.S. Pat. No. 5,170,044 to Pastor describes a method and apparatus for the representation of binary data in the form of an indicia comprising a binary array of pixels. The actual arrays of pixels are scanned in order to identify the provider of the mailpiece and to recover other encrypted plain text information. U.S. Pat. No. 5,142,577 to Pastor describes various alternatives to the DES encoding for encrypting a message and for comparing the decrypted postal information to the plain text information on the mailpiece.
U.S. Pat. No. 5,390,251 to Pastor et al. describes a system for controlling the validity of printing of indicia on mailpieces from a potentially large number of users of postage meters including apparatus disposed in each meter for generating a code and for printing the code on each mailpiece. The code is an encrypted code representative of the apparatus printing the indicia and other information uniquely determinative of the legitimacy of postage on the mailpieces.
A digital meter provides evidence of the payment of postage by signing the postal information on the envelope with two "digital tokens." One digital token provides evidence to the postal service, and the second digital token provides evidence to the vendor, such as the assignee of the present invention. A digital token is a truncation of the result of encrypting indicia information including, for example, postage value, piece count, date of submission, and originating post office.
A new class of digital meters is being developed that employ cryptographic means to produce evidence of postage payment. The encryption is performed using a cryptographic key. In each digital meter, independent keys are used for generating the digital tokens. For security reasons, the keys in different meters are also independent. Information about the meter and mail piece are combined and encrypted with vendor and postal master keys or keys derived therefrom. Portions of the resulting information are printed on the mail piece as digital tokens. The information and tokens can be verified by a device that processes the information in the same manner and compares the resulting digital tokens with those printed on the mail piece.
A key management system is needed to distribute cryptographic keys to digital meters in a secure and reliable manner. The key management system must include means for verifying indicia and digital tokens to detect the fraudulently generated of indicia and duplicated indicia.
It is desired that the key management system have the capability to manufacture meters without assigning meters to a destination country, i.e. manufacturing generic meters that could be inventoried. However, manufacturing generic meters creates a problem that suggests either the need to install keys in the field, or the need to translate keys between domains. Either alternative presents a significant security and key integrity threat. It is desired that a key management system include means that avoids such problems.